[PATCH] New idmap backend that generates id's the way OS X does
john at ixsystems.com
Sat Oct 1 21:03:42 UTC 2016
On Wed, Sep 21, 2016 at 02:16:12PM -0700, Ralph Böhme wrote:
> On Wed, Sep 21, 2016 at 04:01:27AM -0700, John Hixson wrote:
> > On Tue, Sep 20, 2016 at 09:54:20AM -0700, Ralph Böhme wrote:
> > > Hi John
> > >
> > > On Tue, Sep 20, 2016 at 07:13:51AM -0700, John Hixson wrote:
> > > > I wrote this for FreeNAS and want to know if you guys can use it?
> > >
> > > Does this actually work at all? To me it looks like in
> > > idmap_fruit_unixids_to_sids() you're missing to prime the synthesized
> > > SIDs in the struct id_map array.
> > Yes, it actually works. Can you elaborate more on this?
> well, maybe I'm to stupid due to attending SDC and still recovering
> from jetlag (and Bennigan's), but with the patchset you posted (infact
> just applying patch 3/3) this is what I get:
> slow at member1:~/samba/master$ sudo ./bin/wbinfo -S S-1-5-21-3152989960-574718769-2188965058-500
> slow at member1:~/samba/master$ sudo ./bin/wbinfo -U 2002901632
> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert uid 2002901632 to sid
[root at freenas910 ~]# wbinfo -n 'IX\john'
S-1-5-21-2616990854-1186095534-2674637157-1114 SID_USER (1)
[root at freenas910 ~]# wbinfo -S
[root at freenas910 ~]# wbinfo -U 426797067
So is this something anyone is interested in? If not I will leave you
all alone, return to my basement with my stapler and continue on with my
> [2016/09/21 13:15:46.668334, 1, pid=12118, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
> in: struct wbint_UnixIDs2Sids
> domain_name : *
> domain_name : 'hillhouse'
> num_ids : 0x00000001 (1)
> xids: ARRAY(1)
> xids: struct unixid
> id : 0x7761da80 (2002901632)
> type : ID_TYPE_UID (1)
> [2016/09/21 13:15:46.668370, 10, pid=12118, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:509(idmap_find_domain)
> idmap_find_domain called for domain 'hillhouse'
> [2016/09/21 13:15:46.668382, 7, pid=12118, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:62(ads_cached_connection_reuse)
> Current tickets expire in 35887 seconds (at 1474524833, time is now 1474488946)
> [2016/09/21 13:15:46.668392, 0, pid=12118, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_fruit.c:216(idmap_fruit_unixids_to_sids)
> idmap_fruit_unixids_to_sids: SID [S-0-0]
> [2016/09/21 13:15:46.669477, 5, pid=12118, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
> Search for (|(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370))(|(objectSid=S-0-0)))) in <dc=HILLHOUSE,dc=SITE> gave 0 replies
> [2016/09/21 13:15:46.669503, 10, pid=12118, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_fruit.c:282(idmap_fruit_unixids_to_sids)
> No IDs found
> I imagine the filter should be built from the synthesized objectGUID,
> not the objectSid? Wrong patchset posted?
> > > I also thought about adding such an idmap module before but I always
> > > choke at the point where I realized that this can cause collisions and
> > > it doesn't support idmap number ranges, so it can generate mappings
> > > with xids from other idmap backends.
> > When I set out to do this, I found an article stating that the current
> > OS X scheme indeed can have collisions.
> Do you have a link to this article?
> > Is it a feature or a bug that this can reproduce the same behavior?
> > ;-)
> The real problem I see comes from the fact that on a client the risk
> of a collision will be much lower compared to a server.
> This has security implications, users with colliding ids will be able
> to access each others file. How do you deal with that?
> > > What do you do for two sids
> > >
> > > 01020304-a390-44b3-a658-1e0623d09332
> > > 01020304-90ed-4dd2-9cdc-c21b21aace2d
> > >
> > > Or
> > >
> > > 00000000-90ed-4dd2-9cdc-c21b21aace2d
> > Eww. This is nasty indeed. Perhaps user id 0 can be a special case?
> What about all other local ids from /etc/passwd? What about not being
> able to map well-known, builtin and local SAM?
> > I wrote this code for certain people who use FreeNAS + Active
> > Directory and use SMB and AFP together with NFSv4 ACL's on the SMB
> > shares and want those to work on AFP as well.
> Well, as you know, on the server they work anyway, it's just you wont
> be able to see them on the client if ids don't match for AFP clients,
> right? The thing is, if your AFP clients enter the mode where they
> think ids match and they start fetching ACLs and requisting extended
> permission checks via FPAccess, you take a performance hit. At least
> that was my take away when I implemented the ACL stuff in Netatalk and
> I saw the clients doing FPAccess checks like crazy. I would just stay
> away from it these days. :)
More information about the samba-technical